"Policy-based security management" refers to the application of a governing set of rules at strategically located "chokepoints" for the purpose of enforcing security boundaries between two or more networks, such that only those events meeting certain criteria may pass between them, while all other events are denied passage. For network operations, this filtering process selectively discards packets in order to control access to a network as a whole, or to network resources such as files and devices. Variations and improvements of this basic concept have resulted in devices commonly referred to as "firewalls," which are network components that provide a security barrier between networks or network segments. Much like a guard at a checkpoint, the firewall strictly enforces rules specified within an established policy for what is to pass on a case-by-case basis. The policy may dictate that other actions apply as well, such as logging a security event and/or sending an urgent electronic mail message notifying appropriate personnel of the event.
Security professionals consider firewalls to be essential in protecting an enterprise's private network or virtual private network from access by unauthorized personnel or "hackers." Like any security measure, however, firewalls are not foolproof. Firewalls guard the "front door," the Internet connection, while providing no protection for the "back door," the telecommunications access to the data network. Traditional network firewalls provide no protection against unauthorized traffic routed to or from the network through devices such as modems connected to the unprotected telephone lines normally used for voice or fax, because that traffic never traverses the chokepoint at which the network firewall enforces its policy.
The need for a system and method for controlling access to an enterprise's network through telephony resources that cannot be sufficiently protected by traditional network firewall technology is met by the telecommunications firewall described in U.S. patent application Ser. No. 09/210,347 entitled Telephony Security System. Unfortunately, usually as a result of budget constraints, or the sheer number of telecommunication trunks used by an enterprise, such telecommunications firewalls are often deployed incrementally across an organization, unavoidably leaving pockets of vulnerability created by unprotected telephone lines where the telecommunications firewall has not yet been deployed.
Nearly any individual with either malicious or benign intentions can easily connect a modem to an existing computer system and/or telephone or fax line. A telecommunications firewall monitoring the line on which the rogue modem has been installed will detect and neutralize such a device. However, if the device is installed on what may be one of hundreds or even thousands of telephone lines as-yet uncontrolled and unmonitored by the telecommunications firewall, the device effectively bridges the "untrusted" Public Switched Telephone Network ("PSTN") to an organization's "trusted" data network. Hackers and phreakers will often wardial to find these bridges, then gain access to the data network, potentially stealing and/or destroying valuable data behind the front line protection of both the network firewall and the partially deployed telecommunications firewall.
Although the currently available telecommunications firewalls enforce a security policy against incoming and outgoing calls, they are dependent upon the often understaffed and overworked security administrators to physically investigate a security event, such as traffic from an unknown modem on a designated voice or fax line, in response to the firewall's notification.
Similarly, the current telecommunications firewalls are reactive tools responding to security events, incapable of both proactively looking for unknown modems, and proactively evaluating the vulnerability of known modems operating on extensions the firewall monitors and controls.
Finally, after the security administrator manually performs a vulnerability assessment on an unauthorized modem, if a policy update is warranted, the security administrator must also update the firewall's security policy by hand; nothing in the firewall itself translates the assessment result into a rule change.
Other security savvy organizations use telecommunications scanners, or "wardialers," to scan their telecommunication lines, searching for unauthorized or vulnerable modems that can be penetrated to gain access to the data network. In addition to performing vulnerability assessments, telecommunications scanners can be used to provide an organization with a "snap-shot" assessment of where modems exist.
Unfortunately, the currently available telecommunications scanners provide only limited visibility because they cannot provide the constant monitoring capabilities offered by telecommunications firewalls. Large enterprises have literally thousands of telecommunications lines that can take over a week to assess, and such infrequent vulnerability assessments cannot provide a continuous and up-to-date representation of the organization's security status.
Additionally, telecommunications scanners only report their findings and cannot enforce a security policy to deny access to or segregate unknown or penetrable modems. Like telecommunications firewalls, scanners are dependent upon the security administrators to physically respond to the scanner's detection of such modems.
Similarly, although they are detection and reporting tools, the currently available telecommunications scanners cannot send email, pager, real-time and/or SNMP alerts, nor can they adjust the security policy in response to their findings. Again, the task falls to the security administrator to analyze the scanner's findings and to manually adjust the scanner's security policy accordingly.
The shortcomings of current telecommunications firewalls and scanners are exacerbated when the previously described scenarios are applied to a globally distributed enterprise. Additionally, as such enterprises attempt to establish and enforce their security policies across their organization, they are challenged either to maintain valuable security personnel in each branch office or to monitor and respond to all branch security events from the home office. A single computer handling all processing for a globally distributed enterprise would be quickly overloaded, and local users would have no control of or visibility into their own security status, so a firewall and scanner management server is most often installed at each location to divide the traffic load and manage a security policy on a more localized basis. Unfortunately, multiple independent firewalls and scanners present the challenge of ensuring the same basic security structure across the entire enterprise, as well as the formidable task of consolidating local logging information so that important local security events are visible at the highest corporate level.
Neither the current telecommunications firewalls nor the current telecommunications scanners are singly capable of providing continuous monitoring and policy enforcement with automatic vulnerability assessments in response to security events. Nor are they capable of executing automatic adjustments to the security policy in response to these vulnerability assessments. Nor do they offer distributed deployment capabilities that include a multi-tiered, policy-based enforcement of the security policy, ensuring implementation of a basic corporate-dictated security structure while providing varying degrees of localized control and defining event visibility and report consolidation requirements. Clearly, what is needed is an integrated, cooperative telecommunications firewall and scanner with automatic policy adjustment and distributed deployment capabilities.
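The following is an added illustration and is not code from the patent application or from any product it describes. It models the policy-based enforcement of the opening paragraph, the reactive "unknown modem on a voice extension" event, and the multi-tiered corporate/local policy structure called for above: calls classified by the line monitor are matched against a corporate tier that is always consulted first, then against local rules, and an unknown-modem event automatically inserts a local quarantine rule and queues an assessment task. The extensions (4101, 2250), rule names, call samples and the "allow" default for a partially deployed site are constructed assumptions for the example, not values from the page.

```python
"""Added illustration, not part of the patent application: a two-tier
telephony firewall policy (corporate baseline evaluated before local rules)
with automatic adjustment when an unknown modem is detected on an extension.
All extensions, rule names and calls below are constructed examples."""
from dataclasses import dataclass, field
from enum import Enum
from typing import FrozenSet, List, Optional, Set, Tuple


class CallType(Enum):
    VOICE = "voice"
    FAX = "fax"
    MODEM = "modem"
    UNKNOWN = "unknown"


@dataclass(frozen=True)
class Call:
    extension: str        # enterprise extension on the monitored trunk
    direction: str        # "in" (from the PSTN) or "out" (to the PSTN)
    call_type: CallType   # as classified by the firewall's line monitor


@dataclass
class Rule:
    name: str
    action: str                                # "allow" or "deny"
    call_types: FrozenSet[CallType]            # call types this rule covers
    extensions: Optional[FrozenSet[str]] = None   # None matches every extension
    direction: Optional[str] = None            # None matches both directions
    notify: Tuple[str, ...] = ("log",)         # side actions: log/email/pager/snmp

    def matches(self, call: Call) -> bool:
        return (call.call_type in self.call_types
                and (self.extensions is None or call.extension in self.extensions)
                and (self.direction is None or call.direction == self.direction))


@dataclass
class TieredPolicy:
    corporate: List[Rule]   # dictated by headquarters; a local rule cannot override it
    local: List[Rule]       # managed by the branch security administrator
    known_modems: Set[str] = field(default_factory=set)  # extensions authorised for modems
    # Assumed monitoring posture for a site where only the corporate baseline is
    # enforced so far; a fully deployed site would default to "deny".
    default_action: str = "allow"

    def evaluate(self, call: Call) -> Tuple[str, Tuple[str, ...], str]:
        """First matching rule wins; the corporate tier is always consulted first."""
        for tier, rules in (("corporate", self.corporate), ("local", self.local)):
            for rule in rules:
                if rule.matches(call):
                    return rule.action, rule.notify, f"{tier}:{rule.name}"
        return self.default_action, ("log",), "default"

    def on_event(self, call: Call):
        """Automatic policy adjustment: a modem seen on an extension that is not a
        registered modem extension gets a local quarantine (deny) rule and is queued
        for a vulnerability assessment.  Returns (rule, task) or None if no action."""
        if call.call_type is not CallType.MODEM or call.extension in self.known_modems:
            return None
        rule = Rule(
            name=f"quarantine-{call.extension}",
            action="deny",
            call_types=frozenset({CallType.MODEM, CallType.UNKNOWN}),
            extensions=frozenset({call.extension}),
            notify=("log", "email", "snmp"),
        )
        self.local.insert(0, rule)   # ahead of older local rules, still below corporate
        return rule, {"assess": call.extension, "reason": "unknown modem"}


def build_example_policy() -> TieredPolicy:
    """Constructed sample: extension 4101 is an authorised dial-in modem pool."""
    corporate = [
        Rule("dialin-pool", "allow", frozenset({CallType.MODEM}), frozenset({"4101"})),
        Rule("no-inbound-modems", "deny", frozenset({CallType.MODEM, CallType.UNKNOWN}),
             direction="in", notify=("log", "snmp")),
    ]
    local = [
        Rule("voice-fax", "allow", frozenset({CallType.VOICE, CallType.FAX})),
        # A branch administrator trying to whitelist a modem headquarters forbids:
        # effective only for outbound calls, because the corporate tier wins inbound.
        Rule("branch-modem", "allow", frozenset({CallType.MODEM}), frozenset({"2250"})),
    ]
    return TieredPolicy(corporate, local, known_modems={"4101"})


if __name__ == "__main__":
    policy = build_example_policy()
    print(policy.evaluate(Call("2250", "in", CallType.MODEM)))   # corporate deny wins
    rogue_out = Call("2250", "out", CallType.MODEM)
    print(policy.evaluate(rogue_out))        # allowed by the branch rule, and logged
    print(policy.on_event(rogue_out))        # quarantine rule plus assessment task
    print(policy.evaluate(rogue_out))        # now denied by local:quarantine-2250
```

The ordering in `evaluate` is what gives the corporate tier its authority: a branch rule can only add restrictions or permit what headquarters has not already decided, and `on_event` inserts its quarantine rule into the local tier so that the branch administrator retains visibility into, and control over, the adjustment once the assessment completes.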